Identity Theft Prevention

Identity Theft Protection

In December 2010, the Congress passed the Red Flag Program Clarification Act of 2010 to remove certain businesses (including medical practices) from the Federal Trade Commission's (FTC) Red Flags Rule, which requires financial institutions and creditors to develop a written plan to prevent and detect identity theft.

The law covers creditors who regularly, and in the ordinary course of business, meet one of three general criteria. They must:

  • obtain or use consumer reports in connection with a credit transaction;
  • furnish information to consumer reporting agencies in connection with a credit transaction; or
  • advance funds to (or on behalf of) someone, except for funds for expenses incidental to a service provided by the creditor to that person.

In many states, there are also regulations that could require a practice to implement some of the features of the Red Flags Program. Even where no regulatory requirement exists, many of the guidelines are still a good idea to protect your patients and your practice from identity theft.

Without a regulatory requirement for extensive documentation, simple practice policy and training resources can be used for this purpose. For instance, a small practice may create a table of practice policies that support activities for preventing identity theft. The practice can then indicate for each item the policy or action to be taken, or where a related written policy already exists.

You may also wish to develop or change some existing documents, such as amending a HIPAA Business Partner Agreement to require these entities to adopt policies to detect and protect against identity theft.

For those practices that are subject to the Red Flags Rule or state legislation that requires a formal program to detect and prevent identity theft, the FTC has also published an online template( This template allows your practice to fill in the blanks provided for each aspect of your program and then print the final document as a policy for your practice. (If you are not subject to the Red Flags Rule, you may wish to omit some sections, such as approval by the Board of Directors.)